There are only six months to go before the General Data Protection Regulation (GDPR) comes into effect, but some businesses are not even thinking about it yet, or are only just starting to.
In the first of three blogs on GDPR compliance, we have set out the first steps for starting compliance projects along with some IT Governance solutions should you need any extra help.
1. Establish an accountability and governance framework
The board must understand the implications of the GDPR in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the GDPR, and data protection risk will need to be incorporated into the corporate risk management and internal control framework.
Our book EU GDPR – A Pocket Guide is perfect for these first stages.
2. Create a project team
A named person or team must own and run this project, and they will need a thorough understanding of both the business and the GDPR.
Our Certified EU General Data Protection Regulation Foundation and Practitioner training courses will give your team the knowledge and skills required to implement an effective compliance programme and fulfil the data protection officer (DPO) role.
Our book GDPR – An Implementation and Compliance Guide is a useful resource for the project team.
3. Scope and plan the project
Once the GDPR team is aware of the ins and outs of the Regulation, it will need to work out what parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions) and identify which standards and management systems may be affected or could contribute to GDPR compliance, e.g. ISO 27001. Speak to your IT team to find out if there are any projects starting soon that involve personal data, as these will be candidates for privacy by design. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but also from the inception of the product.
Conduct a data protection impact assessment (DPIA) – DPIAs help organisations identify, assess and mitigate or minimise the privacy risks of their data processing activities. Under Article 35 of the GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals' rights and freedoms, and it is most useful when a new data processing system, process or technology is being introduced, because that is when privacy by design can still be built in.
In the next blog: steps 4–6.
Don’t wait until May 2018, when the GDPR starts to apply, as our services get booked up in advance.
EU GDPR Foundation and Practitioner training courses run weekly at locations across the country, with spaces still available in December and January.
London: 19 December
London: 08 – 12 January
Birmingham: 15 – 19 January
Newcastle: 22 – 26 January
Many more dates and locations are available.
Book both courses at the same time to save 15%.